The sign for the VMware headquarters in Palo Alto, Calif. ("VMware headquarters" by Ferran Rodenas is licensed under CC BY-NC-SA 2.0.)

VMware released security updates Tuesday for three critical vulnerabilities in its Workspace ONE Assist product, which allows IT and help desk staff to remotely support employees.

Three of the vulnerabilities allowed a malicious actor with network access to Workspace ONE Assist to obtain administrative access without the need to authenticate to the application. The flaws are tracked as CVE-2022-31685 (authentication bypass vulnerability), CVE-2022-31686 (broken authentication method vulnerability), and CVE-2022-31687 (broken access control vulnerability). 

Also fixed in the security update for Workspace ONE Assist were two moderate vulnerabilities — one a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688), and the other a session fixation vulnerability due to improper handling of session tokens (CVE-2022-31689).

All of the vulnerabilities were reported by staff members of Dutch firm Reqon IT-Security. 

See VMware’s advisory for more information on the vulnerabilities.